İpek Koray

Avukat

10.03.2022

THE RIGHT TO BE FORGOTTEN WITHIN THE FRAMEWORK OF THE LAW ON THE PERSONAL DATA PROTECTION

A guide on the right to be forgotten has been published by the Personal Data Protection Authority within the scope of “Evaluation of the Right to be Forgotten in Search Engines”. The legal definition of the right to be forgotten is included in the guide published by the Authority. The right to be forgotten is described as; “The ability of an individual to request to not raise or remove information that has been disseminated in accordance with the law in the past and is of correct nature from access depending on the passage of time” in the guide.

The right to be forgotten generally refers to the right of individuals to request that access to their personal data be blocked. Therefore, the right to be forgotten provides an appropriate tool to fulfill the requests of individuals to reduce access to news, comments and content that will have a bad effect on their reputation.

In The European General Data Protection Regulation, art.17, ”obligation to delete" is regulated and this provision refers to the requirements of the right to be forgotten. In the aforementioned provision, it is stated that the right to delete may be used if the data processing conditions expire, provided that exceptions are reserved. 

The decision of Google and Google Spain is the first and precedent-setting decision before the European Union regarding the right to be forgotten. The decision in question no longer contains up-to-date information about the past situation of the person whose data was shared on the Internet regarding the incident in the relevant news. ABAD tarafından verilen kararın temeli işlenen verinin üzerinden geçen süre zarfında artık herhangi bir geçersiz ve ilgisiz olmasına dayandırılmıştır. Due to the fact that the data owner's status at the time of processing the data has disappeared, it is no longer a benefit to have this data in the search engine.

As stated in the guide published by the institution, the criteria determined according to the concrete event are: “The person in question playing an important role in public life, the subject of the search results being a child, accuracy of the informations content, the relation of the information to the person's work life, the information being insulting, defamatory, slandering, the information being personal data of a private nature, the information being up-to-date, the information causing prejudice about the person, the information posing a risk to the person, the information being/not being published by the person, the content covering the data processed within the scope of journalistic activity, there being a legal obligation to publish the information, the information being related to a criminal offense."

Law no.6698 on Personal Data Protection in accordance with art.7, the provision “deletion, destruction and anonymization of personal data” is included. In accordance with the provisions of PDPL art.7, it has been regulated that personal data processed may be deleted, destroyed or anonymized at the request of the data subject or in person (provided that the situations contained in the provisions of other laws are reserved). Article 7 of the PDPL states that the deletion of data will be possible with the disappearance of the reason for processing. In accordance with art.11/par. e of the relevant law, if the conditions in art.7 are met, it explicitly grants the data owner the right to exercise the right to be forgotten. Law No. 6698 gives the data owner and the data controller multiple options which are to delete, destroy and anonymize the data related to the exercise of the right to be forgotten.  The basic basis of the right to be forgotten in domestic legislation is the article 20 of the Constitution, which regulates the processing of personal data as well as its deletion.

In the decision of the Personal Data Protection Board dated 23/06/2020 and numbered 2020/481, some criteria have been determined for the deciphering of personal data from the index in the search engine. As stated in the guidance published by the institution, the criteria determined according to the concrete event: “The public play an important role in a person's life , subject to the search results to be the child of the accuracy of the content of information ,information of the person's working life has nothing to do with knowledge about the relevant person insulting, defamatory, libellous , the information is personal data of a private nature to have the quality of information timeliness of information about the person that leads to a bias of the person to bear the risk of information in terms of information to be issued by the person himself ,the situation in the journalistic coverage of the scope of activity of the processed data ,content, information on the publication of a legal obligation to be the punishment of a crime related to information requires that you have” it is in the form of.

When the criteria based on the decision made by the Board are examined, it is understood that the public interest is primarily taken into account for the deletion of the data. It is obvious that the fact that personal data continues to be processed without serving any purpose will also breach the principle of privacy of private life, which is one of the Constitutional rights granted to the data owner.

There is a certain procedure that the data subject whose personal data has been processed must follow in order to exercise his right to be forgotten within the scope of PDPL. The person must first apply to the data controller for the deletion, destruction or anonymization of the processed data. In accordance with PDPL art.13, it has been decided that it should be made by a written application to the data controller or by another procedure determined by the Board.  In continuation of this provision, the data controller has been given time to conclude the request positively or negatively within 30 days at the latest. The requirement to apply to the data controller provided for is an obligation in the law. After the relevant person fulfills the requirement to apply to the data controller, in accordance with PDPL art.14 he will be able to file a complaint with the Board  In accordance with PDPL art.14/1, in order to submit an application to the Board, the application to the data controller must be rejected, it must not be answered within the legal period specified in the law, or the answer must be insufficient. The person concerned will be able to file a complaint with the Board within thirty or sixty days after learning the data controller's answer. In addition to the complaint to be made to the Board, PDPL art.14/3 holds the right for the relevant person to seek compensation in accordance with the general provisions.